The development of complex component software systems can be made more manageable by first
creating an abstract model and then incrementally adding details. Model transformation is an
approach to add such details in a controlled way. In order for model transformation systems to be
useful, it is crucial that they are confluent, i.e. that when applied on a given model, they will always
produce a unique output model, independent of the order in which rules of the system are applied on
the input. In this work, we consider Labelled Transition Systems (LTSs) to reason about the semantics
of models, and LTS transformation systems to reason about model transformations. In related
work, the problem of confluence detection has been investigated for general graph structures. We
observe, however, that confluence can be detected more efficiently in special cases where the graphs
have particular structural properties. In this paper, we present a number of observations to detect
confluence of LTS transformation systems, and propose both a new confluence detection algorithm
and a conflict resolution algorithm based on them.


1 Introduction 


In Model-Driven Software Development, model transformation is a well-known technique to incrementally
construct complex, often concurrent systems through manageable steps. It allows reasoning about a
system at a high level of abstraction, and incrementally adding more information until a model has been 
constructed from which source code can be automatically derived. Some transformations add details 
or components to an existing model of a system under development, others refactor a model to make it 
easier to interpret, or translate a model to one written in a different modelling language. To reason about 
model transformations, often graph transformation is chosen as the underlying mechanism (V 231. 

It is crucial, though, that transformations are verifiable, i.e. that the definitions of transformations 
can be qualitatively analysed. Much work has been done on verifying model transformations, e.g. m 
[D, using many different techniques |[^|^. In earlier work, we have developed a formal verification 
technique to determine whether the definition of a model transformation preserves specific safety or 
liveness properties, regardless of the model it is applied on [6, 24-26]. It is applicable on any modelling
language with a formal semantics that can be captured by Labelled Transition Systems (LTSs), i.e. it 
must be action (or event) based. For example, in our research we focus on the visual modelling language 
SLCO Q, which allows the specification and development of concurrent and distributed systems by 
defining sets of (interacting) finite state machines. 

In our setting, the semantics of models is captured by LTSs, and the semantics of transformations is
captured by systems of pairs of LTSs, describing which patterns in an input LTS should be transformed
into which new patterns. By applying the technique from [6, 24-26] on those pairs of LTSs, we are able
to determine whether transformation is guaranteed to preserve the structure of any LTS w.r.t. a particular
temporal logic formula expressing a desired functional property. If that is the case, then models for which
this property holds can be safely transformed.

Figure 1: Example of an LTS transformation

For example, consider the LTS $C_0$ on the left in Figure 1. It describes a system that can alternatingly
receive messages m and perform computations. The transformation rule $r_0$ in the middle defines that
after each receiving of a message, a postprocessing step should be added. The result of applying the rule
on the LTS on the left in the figure, produces the LTS $T(C_0)$ on the right. More interesting cases involve
multiple LTSs describing the semantics of different components running concurrently, and interaction
between those components is taken into account.

This setting allows to formally reason about model transformations, which has a number of practical
applications. For instance, if one desires to develop a system running on specific hardware, then an
abstract model can be transformed to make it compatible with that hardware. In [24], a transformation
rule system is given to transform multi-party communication in models, i.e. involving more than two
parties at once, into a number of two-party communications following a specific protocol. Multi-party
communication can be useful in modelling languages to reason about system behaviour at an abstract
level, but if the eventual implementation cannot use it, then such a transformation rule system is useful to
automatically remove it at some point in the development process. The ability to verify the transformation
rule system in isolation means that we are able to determine that it will always produce a correct output
model when applied on a correct input model. Other elaborate examples of LTS transformations are
given in | ^


For model transformation, it is crucial that the transformation is always terminating and confluent,
i.e. that transformation is guaranteed to finish, and that it always leads to the same solution, i.e. reduct,
independent of the order in which matches are processed. This is important, since a user defining how a
particular system should be transformed typically has a specific resulting model in mind. Therefore, if
a rule system is not confluent, it usually means that the user made some mistake. Both termination and
confluence of transformation systems have been studied before; for instance, in Q, criteria are given to
determine whether a system is terminating or not.

Confluence has been the subject of research in for example [12, 13, 19-21]. From term rewriting,
we know that a rewrite system is confluent if it is both terminating and locally confluent l[9|. A system
is locally confluent iff all possible conflicts between two transformation applications, i.e. direct
transformations, can be resolved according to the Critical Pair Lemma [19-21]. For a terminating system,
determining confluence therefore boils down to doing two operations: firstly, to construct so-called
critical pairs representing possible conflicts between two direct transformations, and secondly, to try to
resolve all constructed critical pairs.

In earlier work on critical pair detection, general graphs have always been considered, meaning that
vertices and edges may or may not have labels, edges may or may not be directed, and graphs can
consist of several disconnected subgraphs. Such a general approach is of course very useful, but when
considering a more restricted setting, it may be possible to detect critical pairs more efficiently. The
complexity of standard critical pair detection for general graph structures is exponential in the number of
vertices and edges in the left patterns of two transformation rules, since all possible overlappings between
the two left patterns need to be taken into account. In [12], it is demonstrated that if one transformation
rule deletes elements and the other does not, a check with a linear complexity can be obtained, and when
both rules do not delete elements, a check with quadratic complexity is possible.

The contributions of this paper follow from the observation that in our setting, graphs are directed, 
edge-labelled graphs, i.e. LTSs, with all vertices connected with each other via edges (ignoring the
direction). These structural properties can be exploited further, along the reasoning of to find critical
pairs more efficiently; the presence of edge labels allows to check in constant time in some cases, and 
furthermore, we are also able to define a check for critical pairs with quadratic complexity for the case 
that two rules both delete elements. The main conclusion for our setting is that transitions, as opposed to 
states, turn out to play a crucial role in the detection of critical pairs. 


Contribution In this paper, we propose a new critical pair detection algorithm when working with
LTSs as opposed to general graphs. When formally reasoning about model transformations as
transformations of LTSs, we can immediately benefit from the new algorithm since it can handle many cases
more efficiently than existing detection techniques [12, 13, 19-21]. It uses a novel approach, constructing
partial morphisms between LTSs. Whenever such a partial morphism meets certain requirements, a
conflict can be directly derived from it. Although the worst-case complexity of the algorithm is comparable
to that of algorithms proposed in related work, it is very efficient in particular cases. The circumstances
of those cases are explained in detail. Besides that, we also propose an algorithm to try to resolve detected
conflicts, which is based on observations made in 1^, but we focus on our particular setting.


Roadmap Section 2 presents the basic notions, in particular LTS and LTS transformation. In Section 3,
we investigate conflict detection. From this, we construct a conflict detection algorithm in Section 4 and a
conflict resolution algorithm in the same section. Finally, Section|^ contains our conclusions and pointers
for future work.


2 Background 


In this paper, we focus on action-based semantics of (concurrent) systems. Such semantics are often 
captured using Labelled Transition Systems (LTSs), indicating how a system as a whole or an individual 
component in a system can change state by performing particular actions. 

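Definition 1 (Labelled Transition System) An LTS $\mathcal{G}$ is a tuple $\langle S_{\mathcal{G}}, A_{\mathcal{G}}, T_{\mathcal{G}} \rangle$, where $S_{\mathcal{G}}$ is a (finite)
set of states, $A_{\mathcal{G}}$ is a set of actions, and $T_{\mathcal{G}} \subseteq S_{\mathcal{G}} \times A_{\mathcal{G}} \times S_{\mathcal{G}}$ is a transition relation. Actions in $A_{\mathcal{G}}$ are
denoted by a, b, c, etc. We use $s_1 \xrightarrow{a}_{\mathcal{G}} s_2$ to denote $\langle s_1, a, s_2 \rangle \in T_{\mathcal{G}}$. If $s_1 \xrightarrow{a}_{\mathcal{G}} s_2$, this means that in $\mathcal{G}$, an
action a can be performed in state $s_1$, leading to state $s_2$.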


We use operations on LTSs such as intersection and difference in the usual graph-theoretical way. 
Finally, an LTS is weakly connected iff the undirected version of an LTS is a single connected component 
(from each state, there is a path to each other state).

In the context of systems consisting of a finite number of concurrent components, we actually
represent system semantics as networks of LTSs [14], where the potential behaviour of each component is
described by a separate LTS, and a synchronisation mechanism is defined describing the potential for
those LTSs to interact. For example, consider the network on the left in Figure 2, which besides LTS
$C_0$ from Figure 1 also contains the potential behaviour of a component $C_1$ that can at any time send a
message. Below the LTSs, a synchronisation rule is defined stating that send and receive actions can
synchronise, leading to a comm action in the LTS of the system. For this to be possible, the parameters
of send and receive must be identical, i.e. they must involve the same message m.

Figure 2: Transforming networks of LTSs

When considering transformation rule systems applicable on networks of LTSs, confluence depends
on whether the rules in the rule system do not give rise to conflicts in either of the individual LTSs, so it
again boils down to considering single LTSs. For this reason, we do not consider networks of LTSs in
most of this paper.

Transformation In our setting, changes applied on a concurrent system model are represented by LTS
transformation rules applied on the semantics of the components of the model, i.e. on their LTSs. We
only consider weakly connected LTSs as the semantics of components, since naturally, the possible states
that components can be in should be reachable from their initial state. To reason about the changes, we
define the notions of a rule, and matches of rules on component LTSs. But first, we introduce the notion
of LTS morphisms.

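Definition 2 (LTS morphism) An LTS morphism $f : \mathcal{G}_0 \to \mathcal{G}_1$ between two LTSs $\mathcal{G}_0 = \langle S_{\mathcal{G}_0}, A_{\mathcal{G}_0}, T_{\mathcal{G}_0} \rangle$,
$\mathcal{G}_1 = \langle S_{\mathcal{G}_1}, A_{\mathcal{G}_1}, T_{\mathcal{G}_1} \rangle$ is a pair of functions $f = \langle f_S : S_{\mathcal{G}_0} \to S_{\mathcal{G}_1}, f_T : T_{\mathcal{G}_0} \to T_{\mathcal{G}_1} \rangle$ which preserve sources,
targets, and transition labels, i.e. for all $s \xrightarrow{a}_{\mathcal{G}_0} s'$, we have $f_T(s \xrightarrow{a}_{\mathcal{G}_0} s') = f_S(s) \xrightarrow{a}_{\mathcal{G}_1} f_S(s')$.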

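We denote the existence of an injective LTS morphism $f$ from an LTS $\mathcal{G}_0$ to an LTS $\mathcal{G}_1$, meaning that
$f_S$ and $f_T$ are injective, by $\mathcal{G}_0 \to \mathcal{G}_1$, and say that $\mathcal{G}_0$ and $\mathcal{G}_1$ are isomorphic, denoted by iff there
exists a morphism $f : \mathcal{G}_0 \to \mathcal{G}_1$ such that both $f_S$ and $f_T$ are bijections. An LTS inclusion $i : \mathcal{G}_0 \to \mathcal{G}_1$ is
an LTS morphism with for all $s \in S_{\mathcal{G}_0}$, $i_S(s) = s$, and for all $s \xrightarrow{a}_{\mathcal{G}_0} s'$, $i_T(s \xrightarrow{a}_{\mathcal{G}_0} s') = s \xrightarrow{a}_{\mathcal{G}_1} s'$. LTS $\mathcal{G}_0$
is a sub-LTS of $\mathcal{G}_1$, denoted by $\mathcal{G}_0 \subseteq \mathcal{G}_1$, iff there exists an LTS inclusion $i : \mathcal{G}_0 \to \mathcal{G}_1$. Finally, we denote
the fact that a morphism is undefined for a particular state or transition with $\bot$, for example $f_S(s) = \bot$
means that $f_S(s)$ is undefined.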

Definition 3 (Transformation Rule) A transformation rule $r = \langle \mathcal{L} \xleftarrow{f} \mathcal{K} \xrightarrow{g} \mathcal{R} \rangle$ consists of two LTS
morphisms $f : \mathcal{K} \to \mathcal{L}$, $g : \mathcal{K} \to \mathcal{R}$, where $\mathcal{K} \to \mathcal{L}$ is an inclusion. LTSs $\mathcal{L}$ and $\mathcal{R}$ are both weakly connected,
and are called the left and right patterns of r. LTS $\mathcal{K}$ is the interface.

We consider injective transformation rules, meaning that $\mathcal{K} \to \mathcal{R}$ is injective. With $S_{\mathcal{L} \setminus \mathcal{K}}$, we refer
to the states s in $\mathcal{L}$ that are not represented in $\mathcal{K}$, i.e. $f_S^{-1}(s) = \bot$. A similar convention is used for the
functions $f_T$, $g_S$, and $g_T$. States $s \in S_{\mathcal{L}}$ for which $f_S^{-1}(s)$ is defined are called glue-states.


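Definition 4 (Rule Match) A transformation rule $r = \langle \mathcal{L} \xleftarrow{f} \mathcal{K} \xrightarrow{g} \mathcal{R} \rangle$ has a match $m : \mathcal{L} \to \mathcal{G}$ on an
LTS $\mathcal{G} = \langle S_{\mathcal{G}}, A_{\mathcal{G}}, T_{\mathcal{G}} \rangle$ iff $m : \mathcal{L} \to \mathcal{G}$ is an injective LTS morphism and $\forall s \in S_{\mathcal{L} \setminus \mathcal{K}}, p \in S_{\mathcal{G}}$:

• $m_S(s) \xrightarrow{a}_{\mathcal{G}} p \implies \exists s' \in S_{\mathcal{L}}.\, s \xrightarrow{a}_{\mathcal{L}} s' \wedge m_S(s') = p$;

• $p \xrightarrow{a}_{\mathcal{G}} m_S(s) \implies \exists s' \in S_{\mathcal{L}}.\, s' \xrightarrow{a}_{\mathcal{L}} s \wedge m_S(s') = p$.

Figure 3: Double-pushout diagram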

The conditions in Def. 4 correspond with the gluing conditions of the double-pushout (DPO) method
Q for graph transformation, preventing so-called dangling transitions, which are transitions where only
the source or target state will be removed, but not both. It expresses that for a state s to be removed, all
connected transitions must be removed as well.

Let $\mathcal{G}$, $\mathcal{H}$ be LTSs, and $m : \mathcal{L} \to \mathcal{G}$ a match for rule r. Then $\mathcal{G}$ directly transforms $\mathcal{H}$ by r and m,
denoted by $\mathcal{G} \Rightarrow_{r,m} \mathcal{H}$, iff there are two pushouts as in Figure 3.

Direct transformation is defined as follows, with m' a match between the right pattern and
the result of the transformation.

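Definition 5 (Direct Transformation) The direct transformation $\mathcal{G} \Rightarrow_{r,m} \mathcal{H}$ of an LTS $\mathcal{G} = \langle S_{\mathcal{G}}, A_{\mathcal{G}}, T_{\mathcal{G}} \rangle$
according to a rule r and a given match $m : \mathcal{L} \to \mathcal{G}$ is defined as $\mathcal{H} = \langle S_{\mathcal{H}}, A_{\mathcal{H}}, T_{\mathcal{H}} \rangle$, where

• $S_{\mathcal{H}} = (S_{\mathcal{G}} \setminus \{ m_S(s) \mid s \in S_{\mathcal{L} \setminus \mathcal{K}} \}) \cup m'_S(S_{\mathcal{R} \setminus \mathcal{K}})$;

• $T_{\mathcal{H}} = (T_{\mathcal{G}} \setminus \{ m_T(\langle s, a, s' \rangle) \mid s \xrightarrow{a}_{\mathcal{L} \setminus \mathcal{K}} s' \}) \cup \{ m'_T(\langle s, a, s' \rangle) \mid s \xrightarrow{a}_{\mathcal{R} \setminus \mathcal{K}} s' \}$;

• $A_{\mathcal{H}} = \{ a \mid \exists \langle s, a, s' \rangle \in T_{\mathcal{H}} \}$.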

The new set of states $S_{\mathcal{H}}$ consists of $S_{\mathcal{G}}$ without the states that correspond to the states in the left
pattern that are not represented in the interface, i.e. the removed states, and with new representatives,
here represented in the match m', of the states in the right pattern that are not represented in the interface,
i.e. the newly added states. In a similar way, $T_{\mathcal{H}}$ consists of the transitions in $T_{\mathcal{G}}$ without the transitions
corresponding to left pattern transitions that are not represented in the interface, and with transitions
corresponding to right pattern transitions that are not represented in the interface.

An example of a transformation rule introducing a new action is given in the middle of Figure 1.
Black states with the same index correspond with each other, i.e. for two such states $s \in S_{\mathcal{L}}$, $t \in S_{\mathcal{R}}$, we
have $g_S(f_S^{-1}(s)) = t$. This also holds for the highlighted transition labelled receive(m).

It is crucial to note at this point that we expect transformation rules to be well-specified, i.e. that they 
specify that input is actually altered, and not replaced by something that can be considered equivalent. 
In particular, we assume that a transition $s \xrightarrow{a}_{\mathcal{G}} s'$ is not replaced by a new transition between states s
and s' with the same label a, nor that a state s is replaced by another state s' without transforming any of
the transitions connected to s (note that LTSs to be transformed are weakly connected, so s always has 
connected transitions). 

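Sets of rules together make up a rule system $\Sigma$. Transformation of an LTS $\mathcal{G}$ according to a rule
system $\Sigma$ involves identifying all possible matches for each $r \in \Sigma$ on $\mathcal{G}$, and applying transformation on
those matches. A transformation from $\mathcal{G}$ to $\mathcal{H}$ is a sequence of direct transformations $\mathcal{G} = \mathcal{G}_0 \Rightarrow \cdots \Rightarrow \mathcal{G}_n = \mathcal{H}$,
with $n > 0$. We denote this by $\mathcal{G} \Rightarrow^{*} \mathcal{H}$.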

Figure 2 presents a transformation rule $r_1$ which can only be applied on $C_1$, leading to LTS $T(C_1)$.
When combining $r_1$ with $r_0$ into a rule system $\Sigma$, it is clear that $\Sigma$ is confluent w.r.t. the network given in
Figure 2, since $r_0$ and $r_1$ are not applicable on the same LTSs. The question that remains is whether $\Sigma$ is
confluent for arbitrary single LTSs as well.

3 Conflicts Between Direct Transformations


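By Newman's Lemma p7| , a terminating transformation system is confluent iff it is locally confluent,
i.e. if for all direct transformations $\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$ there is a common reduct $\mathcal{H}$ with $\mathcal{H}_0 \Rightarrow^{*} \mathcal{H}$
and $\mathcal{H}_1 \Rightarrow^{*} \mathcal{H}$. To determine local confluence, first of all, it has been shown [19] that if two direct
transformations are parallel independent, then they are locally confluent. In the following, we reason
about two LTS transformation rules $r_0 = \langle \mathcal{L}^{r_0} \leftarrow \mathcal{K}^{r_0} \to \mathcal{R}^{r_0} \rangle$ and $r_1 = \langle \mathcal{L}^{r_1} \leftarrow \mathcal{K}^{r_1} \to \mathcal{R}^{r_1} \rangle$.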


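Definition 6 (Parallel Independence) Direct transformations $\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$ are parallel
independent iff

$m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1}) \subseteq m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})$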

The intuition behind Def. 6 is that if two matches of one or two rules on an LTS only overlap w.r.t.
the interfaces of those two rules, then the related direct transformations are parallel independent since
applying one direct transformation does not invalidate the match for the other direct transformation. We
say that two direct transformations are in conflict iff they are not parallel independent. The presence
of a conflict can cause the transformation system to be not locally confluent (specifically, if the two
derivations do not lead to a common reduct 0). Informally, the conflict is caused because $r_0$ deletes
something that $r_1$ uses and/or $r_1$ deletes something that $r_0$ uses. A concrete conflict can be represented
by a critical pair, which defines an LTS on which two matches of the given pair of rules exist that imply
derivations that are in conflict. Clearly, in such an LTS, the two matches must overlap.


Definition 7 (Critical Pair) Direct transformations $\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$ form a critical pair iff they
are not parallel independent and $\mathcal{G} = m_0(\mathcal{L}^{r_0}) \cup m_1(\mathcal{L}^{r_1})$.

Furthermore, we require that $m_0 \neq m_1$ if $r_0 = r_1$, and we equate isomorphic critical pairs, which
informally means that two critical pairs are different if either there exists no isomorphism between their
$\mathcal{G}$'s, or their matches $m_0$, $m_1$ are different.

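The main task when detecting conflicts is to construct a suitable conflict situation $\mathcal{G}$ for pairs of rules
$r_0$, $r_1$ that gives rise to a conflict. Such a $\mathcal{G}$ should be minimal, in the sense that there does not exist an
LTS $\mathcal{G}'$ with $\mathcal{G}' \subset \mathcal{G}$ and matches $m'_0 : \mathcal{L}^{r_0} \to \mathcal{G}'$, $m'_1 : \mathcal{L}^{r_1} \to \mathcal{G}'$ such that $\mathcal{H}'_0 \Leftarrow_{r_0,m'_0} \mathcal{G}' \Rightarrow_{r_1,m'_1} \mathcal{H}'_1$ is also
a critical pair.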

In this section, we focus on how to construct a suitable $\mathcal{G}$ efficiently. First, we establish that in order
to have a conflict in $\mathcal{G}$, $m_0(\mathcal{L}^{r_0})$ and $m_1(\mathcal{L}^{r_1})$ must at least overlap in one transition. This relies on the
fact that our LTSs $\mathcal{G}$ are weakly connected. If a rule specifies that all states matched on a left pattern
state s should be removed, then so must all transitions that connect with those states. By the fact that
such transitions always exist ($\mathcal{G}$ is weakly connected) and Def. 4, it follows that the rule must also specify
explicitly that these transitions must be removed. Hence, a conflict between rules concerning the removal
of states also must involve the removal of transitions.


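Lemma 1 Direct transformations $\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$ are parallel independent iff

$T_{m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})} \subseteq T_{m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})}$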

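Proof The if case is trivial. If the LTS $m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})$ is contained in the LTS $m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})$,
then all transitions of $m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})$ are contained in $m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})$.

For the only if case, we reason towards a contradiction. Assume that the direct transformations
are not parallel independent, i.e. $m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1}) \not\subseteq m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})$, but that
$T_{m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})} \subseteq T_{m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})}$. Then, we must have that
$S_{m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})} \not\subseteq S_{m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})}$. We will prove that this cannot
be the case by reasoning towards a contradiction. Let $p \in S_{m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})}$ and $p \notin S_{m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})}$.
Then, there must exist $s \in S_{\mathcal{L}^{r_0}}$ with $m_{0,S}(s) = p$ and $t \in S_{\mathcal{L}^{r_1}}$ with $m_{1,S}(t) = p$. Since $p \notin S_{m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})}$,
we have $s \notin S_{\mathcal{K}^{r_0}}$ and $t \notin S_{\mathcal{K}^{r_1}}$. Because $\mathcal{G}$ is weakly connected and $r_1$ is well-specified, p must have
at least one in- or outgoing transition which will be removed by the direct transformation $\mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$.
Let us assume that this is an incoming transition $p' \xrightarrow{a}_{\mathcal{G}} p$ (the case of an outgoing transition is
similar). Since $m_{1,S}(t) = p$ and $t \in S_{\mathcal{L}^{r_1} \setminus \mathcal{K}^{r_1}}$, by Def. 4 there must be a transition $t' \xrightarrow{a}_{\mathcal{L}^{r_1}} t$, with $m_{1,S}(t') = p'$,
and $m_{1,T}(t' \xrightarrow{a}_{\mathcal{L}^{r_1}} t) = p' \xrightarrow{a}_{\mathcal{G}} p$. Similarly, there must be an $s' \in S_{\mathcal{L}^{r_0}}$ with $s' \xrightarrow{a}_{\mathcal{L}^{r_0}} s$, $m_{0,S}(s') = p'$ and
$m_{0,T}(s' \xrightarrow{a}_{\mathcal{L}^{r_0}} s) = p' \xrightarrow{a}_{\mathcal{G}} p$. This means that both $p' \xrightarrow{a}_{m_0(\mathcal{L}^{r_0})} p$ and $p' \xrightarrow{a}_{m_1(\mathcal{L}^{r_1})} p$. Also, since $p' \xrightarrow{a}_{\mathcal{G}} p$ is
set for removal, we must have $\langle p', a, p \rangle \notin T_{m_0(\mathcal{K}^{r_0})}$ and $\langle p', a, p \rangle \notin T_{m_1(\mathcal{K}^{r_1})}$. But then,
$T_{m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})} \not\subseteq T_{m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})}$, and we have a contradiction. □

Figure 4: Two rules $r_0$ and $r_1$ with a possible conflict situation $\mathcal{G}$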

The following lemma expresses that parallel independence of rules $r_0$, $r_1$ can be concluded if the sets
of transition labels of $r_0$ and $r_1$ satisfy certain conditions. We use $A_{\mathcal{L} \setminus \mathcal{K}}$ to refer to the labels for which
there exists at least one transition in $\mathcal{L}$ that is not represented in $\mathcal{K}$, i.e. there exists an $s \xrightarrow{a}_{\mathcal{L}} s'$ for which
$f_T^{-1}(s \xrightarrow{a}_{\mathcal{L}} s') = \bot$.


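Lemma 2 Direct transformations $\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$ are parallel independent if
$A_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}} \cap A_{\mathcal{L}^{r_1}} = \emptyset$ and $A_{\mathcal{L}^{r_1} \setminus \mathcal{K}^{r_1}} \cap A_{\mathcal{L}^{r_0}} = \emptyset$.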

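Proof By reasoning towards a contradiction. Assume that $A_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}} \cap A_{\mathcal{L}^{r_1}} = \emptyset$ and
$A_{\mathcal{L}^{r_1} \setminus \mathcal{K}^{r_1}} \cap A_{\mathcal{L}^{r_0}} = \emptyset$, but that the direct transformations are not parallel independent. From Lemma 1, it follows
that $T_{m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})}$ must be non-empty. So, there must exist a transition $s \xrightarrow{a}_{m_0(\mathcal{L}^{r_0}) \cap m_1(\mathcal{L}^{r_1})} s'$ that
is not in $m_0(\mathcal{K}^{r_0}) \cap m_1(\mathcal{K}^{r_1})$. From this, it follows that $a \in A_{\mathcal{L}^{r_0}}$, $a \in A_{\mathcal{L}^{r_1}}$ and $a \notin A_{\mathcal{K}^{r_0}}$. But then,
$A_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}} \cap A_{\mathcal{L}^{r_1}} \neq \emptyset$, and we have a contradiction. □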

Lemma 2 will be used as a first check in a conflict detection algorithm in the next section. If for two
rules, the mentioned intersection of action sets of left patterns is empty, then it is not possible to construct 
critical pairs. Since this can be checked in linear time, assuming that set membership can be checked in 
constant time, it helps to avoid more involved conflict detection for many cases in practice. 

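Consider the example illustrated in Figure 4. For the two rules $r_0$, $r_1$, we have $A_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}} = \{b\}$ and
$A_{\mathcal{L}^{r_1}} =$ {^A}, hence $A_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}} \cap A_{\mathcal{L}^{r_1}} = \emptyset$, but $A_{\mathcal{L}^{r_1} \setminus \mathcal{K}^{r_1}} = \{a, d\}$ and $A_{\mathcal{L}^{r_0}} = \{a, b\}$, so $A_{\mathcal{L}^{r_1} \setminus \mathcal{K}^{r_1}} \cap A_{\mathcal{L}^{r_0}} = \{a\}$.
This means that there is potential for a conflict situation, and a valid conflict situation is actually
illustrated on the right in Figure 4. In the given LTS $\mathcal{G}$, applying the direct transformation defined by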
C' matched on the lower part of G results in an LTS on which can still be matched. However, note 
that can be matched on G involving the curved a-transition and the Zj-transition. Since yq removes 
the matched a-transition, this means that the possible match of C' on G is removed when applying the 
direct transformation of ro- 

Next, we concentrate on constructing minimal conflict situations $\mathcal{G}$ for pairs of rules $r_0$, $r_1$. We will
do so by constructing a relation between states $s \in S_{\mathcal{L}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$ that expresses the potential to match
them on the same state p in an arbitrary LTS. If a non-empty relation can be constructed, then a conflict
situation can be derived from it.

Figure 5: Matching rule left pattern states on the same LTS states. Left: $\mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq \mathit{LTS}_{\mathcal{G}}(p) \wedge \mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$. Right: $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$.

Two states $s \in S_{\mathcal{L}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$ can only be matched on the same state p if their in- and outgoing
transitions are in some sense compatible. Since $\mathcal{L}^{r_0}$ and $\mathcal{L}^{r_1}$ are weakly connected, we know that s and t
must have in- and/or outgoing transitions. To reason about these, we define the notion of a context LTS
of a state.

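Definition 8 (Context LTS) Given an LTS $\mathcal{G}$, we say that for a state $p \in S_{\mathcal{G}}$, the context LTS $\mathit{LTS}_{\mathcal{G}}(p) = \langle S_p, A_p, T_p \rangle$
is defined as follows:

• $S_p = \{ p' \mid \exists a \in A_{\mathcal{G}}.\, p \xrightarrow{a}_{\mathcal{G}} p' \vee p' \xrightarrow{a}_{\mathcal{G}} p \} \cup \{p\}$;

• $A_p = \{ a \mid \exists p' \in S_{\mathcal{G}}.\, p \xrightarrow{a}_{\mathcal{G}} p' \vee p' \xrightarrow{a}_{\mathcal{G}} p \}$;

• $T_p = \{ \langle p, a, p' \rangle \mid p \xrightarrow{a}_{\mathcal{G}} p' \} \cup \{ \langle p', a, p \rangle \mid p' \xrightarrow{a}_{\mathcal{G}} p \}$.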

Figure 5 shows the conditions under which we are able to match two left pattern states on the same
state. On the left, the case where both states are glue is covered. In the figure, glue-states are coloured
black. The figure expresses that any two glue-states s and t can be matched on a state p as long as p has
matchable transitions for all the transitions of s and t. Say that state s has $n + 1$ incoming transitions with
labels $a_0, \ldots, a_n$, and $n' + 1$ outgoing transitions with labels $b_0, \ldots, b_{n'}$, and state t has $m + 1$ incoming
transitions with labels $c_0, \ldots, c_m$, and $m' + 1$ outgoing transitions with labels $d_0, \ldots, d_{m'}$, then p should
have matchable transitions with all those labels. Of course, some transitions of s and t may be matched
on common transitions of p, i.e. the two matches together could be non-injective.

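Below the figure on the left, this condition is formalised as follows: we must have that $\mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq
\mathit{LTS}_{\mathcal{G}}(p) \wedge \mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$. This directly follows from the fact that matches are injective LTS
morphisms (Def. 4).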

On the right in Figure 5, the condition for the possibility to match two states on the same state is
given for the case that at least one of those states is non-glue. In the figure, non-glue states are coloured
grey, and state t may be either non-glue or glue. The condition expresses that for all incoming and
outgoing transitions of t, s must have corresponding transitions with the same label. This is formalised
as $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$. The idea is that if t has transitions that s does not have, then
matching s and t on the same state p would not be possible due to the gluing conditions. Again, the fact
that $\mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$ and $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$ should hold follows from the fact that matches are
injective LTS morphisms. That $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{L}^{r_0}}(s)$ needs to hold follows from the following lemma.

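Lemma 3 Let $s \in S_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$ be states. Then there can be no matches $m_0 : \mathcal{L}^{r_0} \to \mathcal{G}$, $m_1 : \mathcal{L}^{r_1} \to \mathcal{G}$
on an arbitrary LTS $\mathcal{G}$ with $m_{0,S}(s) = p$ and $m_{1,S}(t) = p$ for some $p \in S_{\mathcal{G}}$ if $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \not\subseteq \mathit{LTS}_{\mathcal{L}^{r_0}}(s)$.

Proof. By reasoning towards a contradiction. Assume that $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \not\subseteq \mathit{LTS}_{\mathcal{L}^{r_0}}(s)$ holds, and that we have
matches $m_0 : \mathcal{L}^{r_0} \to \mathcal{G}$, $m_1 : \mathcal{L}^{r_1} \to \mathcal{G}$ with $m_{0,S}(s) = p$ and $m_{1,S}(t) = p$. Since $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \not\subseteq \mathit{LTS}_{\mathcal{L}^{r_0}}(s)$
and $\mathcal{L}^{r_0}$ and $\mathcal{L}^{r_1}$ are weakly connected, we must have that at least one transition in $\mathit{LTS}_{\mathcal{L}^{r_1}}(t)$ cannot
be mapped on a transition in $\mathit{LTS}_{\mathcal{L}^{r_0}}(s)$. Say that this is an incoming transition of t. The case that
it is an outgoing transition of t is similar. We refer to this transition as $t' \xrightarrow{a}_{\mathcal{L}^{r_1}} t$. Since, by Def. 8,
$\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathcal{L}^{r_1}$, and since $m_1$ is an injective LTS morphism, $m_{1,S}(t')$ and $m_{1,T}(t' \xrightarrow{a}_{\mathcal{L}^{r_1}} t)$ must be
defined. Let us say that $m_{1,S}(t') = p'$ and $m_{1,T}(t' \xrightarrow{a}_{\mathcal{L}^{r_1}} t) = p' \xrightarrow{a}_{\mathcal{G}} p$. By the fact that $\mathit{LTS}_{\mathcal{L}^{r_0}}(s)$
contains all the incoming and outgoing transitions of s (Def. 8), and by the facts that $t' \xrightarrow{a}_{\mathcal{L}^{r_1}} t$ cannot be
mapped on a transition in $\mathit{LTS}_{\mathcal{L}^{r_0}}(s)$ and $\mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq \mathcal{L}^{r_0}$, it follows that $p'$ and $p' \xrightarrow{a}_{\mathcal{G}} p$ are not matched
by the LTS morphism $m_0$. But, since $s \in S_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}}$ and $p' \xrightarrow{a}_{\mathcal{G}} m_{0,S}(s)$, by Def. 4 we must have that there
exists an $s' \in S_{\mathcal{L}^{r_0}}$ such that $m_{0,S}(s') = p'$, and we have a contradiction. □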

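Note that the condition on the right in Figure 5 implies what needs to hold if both s and t are non-glue.
If s is non-glue, we must have that $\mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$, but if t is non-glue, we must
have $\mathit{LTS}_{\mathcal{L}^{r_0}}(s) \subseteq \mathit{LTS}_{\mathcal{L}^{r_1}}(t) \subseteq \mathit{LTS}_{\mathcal{G}}(p)$, i.e. we must have that $\mathit{LTS}_{\mathcal{L}^{r_0}}(s) \cong \mathit{LTS}_{\mathcal{L}^{r_1}}(t)$.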

Figure 5 gives rise to defining a relation between left patterns of rules, where states s and t are related
iff it is conceivable to construct a situation (in the form of an LTS) in which matches $m_0$ and $m_1$ relate s
and t to a common state p, and likewise for transitions. Having such a relation, it follows from Lemma 1
that if it at least relates two transitions of which at least one is not represented in the interface of the 
corresponding rule, then the inferred situation is a conflict situation, i.e. there are direct transformations 
that are in conflict. We will use such a relation later on to reason about all possible conflicts involving 
two given rules, by iterating over all pairs of states from their left patterns. 

Next, we define this relation between left patterns, and after that, we explain how a conflict situation 
can be constructed from a concrete relation. 

Definition 9 (Conflict Compatibility Morphism) Let $s \in S_{\mathcal{L}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$. A partial LTS morphism $f :
\mathcal{L}^{r_0} \to \mathcal{L}^{r_1}$ is a conflict compatibility morphism if it is injective and $f_S(s) = t$ implies that

• If s G and t G Sci then 

- ift Agq ?' then S Ag'o s' with fs{s') = t', fj{s Ag'o s') = ? Agq ?'; 

- ift Agq ?' then S s' with fs{^') = i'< fri^ ^CO s') = t Agq ?'. 

• If s G Sco andt G Sci\ic''i 

- ifs Agro s' then t Agq t' with fs{s') = t', fj{s Ag'o s') = ? Agq ?'; 

- if S Agi-o s' then t Agq ?' with fs{s') = t', fj{s ^co s') = t Agq ?'. 

• If s G Sca\K’'o and t G Sci\K’'i then 

- ifs Agro s' then t Agq ?' with fs{s') = t', fj{s Ag'o s') = t Agq ?'; 

- ifs Agro s' and t Agq ?', then fs{s') = t', fj{s 4^co s') = ? Agq ?'. 

- ift Agq t' then S Ag^o s' with fs{s') = t', fj{s Ag^o s') = t Agq ?'; 

- ifs Agro s' then t Agq t' with fs{s') = t', fjjs Ag'o s') = t Agq ?'. 

Note that Def. 9 does not state anything about the case that both s and t are glue-states. Unlike in the
other cases, in which the gluing conditions are relevant because at least one non-glue state is involved,
two glue-states can always be related to each other. This means that an LTS morphism which only
relates glue-states and no transitions is also a conflict compatibility morphism. However, by Lemma 1,
such a morphism does not directly represent a conflict situation. We are not interested in just any conflict
compatibility morphism, but those for which $f_T$ is defined for some transitions. In fact, given two left
patterns $\mathcal{L}^{r_0}$, $\mathcal{L}^{r_1}$ and two states $s \in S_{\mathcal{L}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$, we are interested in the largest conflict compatibility
morphism $f$ for which $f_S(s) = t$, and its domain of definition, i.e. the part of $\mathcal{L}^{r_0}$ for which $f$ is defined,
is a weakly connected LTS.

Figure 6: A conflict compatibility morphism between left patterns $C_0$, $C_1$, and the corresponding conflict
situation $C_f$

For example, consider the two LTSs $C_0$ and $C_1$ on the left in Figure 6. A conflict compatibility
morphism $f$ with $f_S(s_1) = t_1$ could be defined without relating any other states and transitions, but it
would not represent a conflict. Instead, the largest possible morphism $f$ with $f_S(s_1) = t_1$ and a weakly
connected domain of definition also relates with to, and the a-transitions. In particular, S 2 A 53 and 
t 2 —)• L are not related by /, since that would make its domain of definition not weakly connected. 

Note that for two states s, t, there can be more than one conflict compatibility morphism of interest, 
particularly if there are multiple options to relate states and transitions. 

In the remainder of this paper, each conflict compatibility morphism is the largest possible with a 
weakly connected domain of definition, in the sense that no morphism can be constructed that contains 
it and also has a weakly connected domain of definition. 

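Given $s \in S_{\mathcal{L}^{r_0}}$ and $t \in S_{\mathcal{L}^{r_1}}$, we can now construct conflict compatibility morphisms $f$. From $f$, $\mathcal{L}^{r_0}$,
and $\mathcal{L}^{r_1}$ we can construct a conflict situation. For this, we use $m_0$, $m_1$ to map $\mathcal{L}^{r_0}$ and $\mathcal{L}^{r_1}$ to isomorphic
LTS structures.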


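Definition 10 (Conflict Situation) Let $f : \mathcal{L}^{r_0} \to \mathcal{L}^{r_1}$ be a conflict compatibility morphism, and $m_0(\mathcal{L}^{r_0})$,
$m_1(\mathcal{L}^{r_1})$ LTSs isomorphic to $\mathcal{L}^{r_0}$ and $\mathcal{L}^{r_1}$, respectively. Then, a conflict situation LTS $C_f$ can be
constructed as follows: first, determine the boundary $B$ of $f$ consisting of all states $s \in \mathcal{L}^{r_0}$ such that $f_S(s)$
is defined, but for some transition $s \xrightarrow{a}_{\mathcal{L}^{r_0}} s'$ (or $s' \xrightarrow{a}_{\mathcal{L}^{r_0}} s$), $f_T(s \xrightarrow{a}_{\mathcal{L}^{r_0}} s')$ (or $f_T(s' \xrightarrow{a}_{\mathcal{L}^{r_0}} s)$) is not. Then,
$L = m_1(\mathcal{L}^{r_1} \setminus f(\mathcal{L}^{r_0})) \cup m_1(f(B))$ can be glued to $m_0(\mathcal{L}^{r_0})$ by merging each state $s \in m_0(B)$ with the
corresponding state $s' \in m_1(f(B))$. The result is $C_f$.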


On the right of Figure 6, the conflict situation is presented which results from applying Def. 10 on
the conflict compatibility morphism between $C_0$ and $C_1$ given on the left in the figure. The boundary $B$
is defined as $B = \{s_1\}$, since $f_S(s_1) = t_1$, but $f_T(s_1 \rightarrow_{C_0} s_2) = \bot$. Then, $L$ is the LTS isomorphic to $C_1$
without $t_0$ and the a-transition between $t_0$ and $t_1$ (indicated in $C_f$ in the figure), and $L$ is glued to an LTS
isomorphic to $C_0$ by merging the states related to $s_1$ and $t_1$ (resulting in the square state in the figure).


4 Conflict Detection and Resolution Algorithms 

The findings presented above can be used to construct a new conflict detection algorithm. It is
presented in Alg. 1. Given two rules, the algorithm tries to determine whether there can be an LTS for
which it is possible to construct direct transformations that are in conflict. The decision procedures are
sorted by their complexity. If full analysis is needed, i.e. all possible conflict compatibility morphisms
have to be computed, then attempts can be restricted to those pairs of states $s \in S_{\mathcal{L}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$ that share
an outgoing transition label, and for at least one of the two states, an outgoing transition with that label
Algorithm 1 Conflict detection algorithm

Require: Rules ro = ,TV«),ri = {C^, ) 

Ensure: Returns set of conflicts between ro and rj 
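    $C = \emptyset$
2:  if $A_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}} \cap A_{\mathcal{L}^{r_1}} = \emptyset$ and $A_{\mathcal{L}^{r_1} \setminus \mathcal{K}^{r_1}} \cap A_{\mathcal{L}^{r_0}} = \emptyset$ then
        return $\emptyset$ // Lemma 2
4:  if $\mathcal{L}^{r_0} \cong \mathcal{K}^{r_0} \wedge \mathcal{L}^{r_1} \cong \mathcal{K}^{r_1}$ then
        return $\emptyset$ // See [12]
6:  for all $s \in S_{\mathcal{L}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$ do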

if Aour (■^) Aoiir (t) ^ 0 or (‘^) Aoitt {t) ^ ® then 
8:          for all conflict compatibility morphisms $f : \mathcal{L}^{r_0} \to \mathcal{L}^{r_1}$ with $f_S(s) = t$ do
                if $f_T$ is defined for at least one transition then
10:                 add $C_f$ to $C$ // Definition 10
    return $C$





Figure 7: A Critical Pair may be resolvable 


will be removed when transforming. This directly follows from Lemma 1, which implies that in order
to have a conflict, at least one transition needs to be involved which is matched on by both rules $r_0$
and $r_1$ and removed by at least one of these rules. To formalise this, we use the following notation:
•^outi^) = {a ^ Aco I 3^ —)-£ro 5 '} is the set of labels of outgoing transitions of s, and Aout{s) = {a G 
Ac;^ I 3s s'.fj^^{s ^') =-L} is the set of labels of outgoing transitions that are set for removal. 

At line 2, the action sets are compared, which can be done in $O(|A|)$ time, with $A = A_{\mathcal{L}^{r_0}} \cup A_{\mathcal{L}^{r_1}}$. At
line 4, we use a check from [12], based on the fact that two non-deleting rules can never be in conflict.
This can be determined in $O(|S| + |T|)$ time, with $|S|$ and $|T|$ the total number of states and transitions
in the two left rule patterns together. Next, full checking for conflict compatibility morphisms (lines
7-10) requires, in the worst case, comparing the two left LTS patterns for all pairs of states, i.e. its complexity
is $O(|S|^2 \cdot |T| \cdot \log |S|)$, since a comparison of two LTSs can be done in $O(|T| \cdot \log |S|)$ time, using the
equivalence checking algorithm of Paige & Tarjan [18].

Compared to earlier work, our detection algorithm has a number of advantages. First of all, comparison
of the action sets can be done in linear time, and is, unlike other special case optimisations, such as
those in [12], also applicable when both $r_0$ and $r_1$ remove some transitions. Second of all, not all possible
pairs of states $s \in S_{\mathcal{L}^{r_0}}$, $t \in S_{\mathcal{L}^{r_1}}$ need to be considered in detail. Just by considering their outgoing
transitions first, we can quickly resolve many combinations in practice. This exploits the fact that LTSs
are weakly connected, or more specifically, that most states have outgoing transitions.
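
The cheap filters of the detection algorithm (the label-set comparison of line 2 and the outgoing-label test that precedes the morphism search) can be sketched as follows. This is an added example, not code from the paper; the `LeftPattern` encoding, its field names, the `single` helper and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product


# Assumed encoding (not the paper's): a left pattern is a set of
# (source, label, target) transitions plus the subset the rule removes.
@dataclass(frozen=True)
class LeftPattern:
    transitions: frozenset
    removed: frozenset = frozenset()

    def labels(self, removed_only=False):
        pool = self.removed if removed_only else self.transitions
        return {a for _, a, _ in pool}

    def out_labels(self, state, removed_only=False):
        pool = self.removed if removed_only else self.transitions
        return {a for s, a, _ in pool if s == state}

    def states(self):
        return {x for s, _, d in self.transitions for x in (s, d)}


def candidate_pairs(l0, l1):
    """State pairs (s, t) that still need the full morphism search.

    An empty set means the cheap checks already rule out a conflict.
    """
    # Line 2: no label removed by one rule occurs in the other rule.
    # With transitions only, this also covers line 4 (two non-deleting
    # rules), because both removed-label sets are then empty.
    if not (l0.labels(True) & l1.labels()) and not (l1.labels(True) & l0.labels()):
        return set()
    # Lines 6-7: s and t share an outgoing label that at least one of
    # the two rules removes at that state.
    return {
        (s, t)
        for s, t in product(l0.states(), l1.states())
        if (l0.out_labels(s) & l1.out_labels(t, True))
        or (l0.out_labels(s, True) & l1.out_labels(t))
    }


def single(src, label, dst):
    """Constructed helper: a rule that matches and removes one transition."""
    t = frozenset({(src, label, dst)})
    return LeftPattern(t, removed=t)


# Constructed sample rules: R0 and R1 both rewrite an a-transition,
# R2 rewrites a b-transition, R3 matches a-then-d and removes only d.
R0, R1, R2 = single("s0", "a", "s1"), single("t0", "a", "t1"), single("u0", "b", "u1")
R3 = LeftPattern(
    frozenset({("v0", "a", "v1"), ("v1", "d", "v2")}),
    removed=frozenset({("v1", "d", "v2")}),
)
KEEP_A = LeftPattern(frozenset({("w0", "a", "w1")}))  # non-deleting rule
```

Only the pairs returned by `candidate_pairs` would be handed to the morphism construction of lines 8-10.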

It is a known fact in graph transformation that the existence of critical pairs does not guarantee that a
transformation system is not confluent. For example, consider the system in Figure 7. Rules $r_0$ and $r_1$ are
clearly in conflict, since they both concern an a-transition in their left pattern. They also define different
transformation results, namely a b- and a c-transition, respectively, so direct transformations on an LTS
$\mathcal{G}$ consisting of a transition $s \xrightarrow{a}_{\mathcal{G}} s'$ constitute a critical pair. However, consider that there is a third rule
$r_2$ in the system, which transforms b-transitions into c-transitions. Then $\mathcal{G}$ can be transformed to an LTS
consisting of a single c-transition either by first applying $r_0$ and then $r_2$, or by applying $r_1$. The conflict
represented by the critical pair can be resolved.
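
The resolvable critical pair described above can be replayed mechanically. The following added example (not from the paper) assumes relabelling rules given as `(old, new)` label pairs that keep both end states, so equal transition sets over the same state names stand in for the isomorphism check; it generalises the single example to any set of such rules.

```python
from collections import deque


# Assumed encoding (not the paper's): an LTS is a frozenset of
# (source, label, target) transitions; a rule is an (old, new) label pair
# that rewrites one matching transition and keeps both end states.
def direct_transformations(lts, rules):
    """Yield every LTS obtained from lts by one rule application."""
    for (src, label, dst) in lts:
        for old, new in rules:
            if label == old:
                yield (lts - {(src, label, dst)}) | {(src, new, dst)}


def reachable(lts, rules):
    """All LTSs derivable from lts in zero or more steps.

    The search terminates because the state set is fixed and the label
    alphabet of the rules is finite.
    """
    seen, todo = {lts}, deque([lts])
    while todo:
        for nxt in direct_transformations(todo.popleft(), rules):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def unresolved_pairs(lts, rules):
    """Pairs of direct transformation results with no common successor."""
    results = list(dict.fromkeys(direct_transformations(lts, rules)))
    bad = []
    for i, h0 in enumerate(results):
        for h1 in results[i + 1:]:
            if not (reachable(h0, rules) & reachable(h1, rules)):
                bad.append((h0, h1))
    return bad


# Constructed input: the single a-transition and the three rules
# of the example in the text.
G = frozenset({("s", "a", "s'")})
R0, R1, R2 = ("a", "b"), ("a", "c"), ("b", "c")
```

With only `R0` and `R1` the pair of results is reported as unresolved; adding `R2` makes the list empty.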

Another example is the conflict situation in Figure It cannot be resolved if the rule system only 
consists of rules ro and r\. Applying first the direct transformation of r\ removes the match of mo on 
Figure 8: The need for strong joinability


and applying first the direct transformation of rg, followed by the one of ri leads to a different LTS, in 
which instead of the f7-transition there is now a c-transition. 

Since the existence of critical pairs does not mean that a transformation system is not confluent, a
necessary condition needs to be found for a critical pair to actually be an example why a system is not
confluent. Plump [21] demonstrates that for so-called coverable transformation systems of hypergraphs,
i.e. graphs where the edges can be associated with multiple source and target vertices, it suffices to show
that all the critical pairs are strongly joinable, meaning that independent of which of the two involved
direct transformations is applied on the conflict situation, the system can transform the resulting graph to
a graph that is structurally equivalent to the graph that can be obtained if the other direct transformation
had been applied first. Since LTSs are a special kind of hypergraph, and since our LTSs are always
coverable (an important criterion is that LTSs can be extended with a cover consisting of transitions
with fresh labels), we can directly take the result from [21] for our setting. To define strong joinability
formally, we first need to define the notion of a track morphism, based on [20]. Such a morphism
explicitly involves relations between states based on the fact that they have been matched by the same
interface state.


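Definition 11 (Track Morphism) Given a direct transformation $\mathcal{G} \Rightarrow_{r,m} \mathcal{H}$, the track morphism
$tr_{\mathcal{G} \Rightarrow \mathcal{H}} : \mathcal{G} \to \mathcal{H}$ is the partial LTS morphism defined by

$$tr_{\mathcal{G} \Rightarrow \mathcal{H}}(s) = \begin{cases} m'_S(g_S(f_S^{-1}(m_S^{-1}(s)))) & \text{if } f_S^{-1}(m_S^{-1}(s)) \text{ is defined} \\ \bot & \text{otherwise} \end{cases}$$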


The morphisms m, m', f and g are as shown in Figure Track morphisms can be defined for 
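sequences of direct transformations in a similar way, where for two direct transformations $\mathcal{G} \Rightarrow \mathcal{H}$ and
$\mathcal{H} \Rightarrow \mathcal{H}'$, $tr_{\mathcal{G} \Rightarrow \mathcal{H} \Rightarrow \mathcal{H}'}(s)$ is defined as $tr_{\mathcal{H} \Rightarrow \mathcal{H}'} \circ tr_{\mathcal{G} \Rightarrow \mathcal{H}}(s)$.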


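Definition 12 (Strong Joinability) Given a transformation system $\Sigma$, a critical pair
$\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$ is strongly joinable if there are derivations $\mathcal{H}_i \Rightarrow^* \mathcal{X}_i$, for $i = 0,1$, an
isomorphism $f : \mathcal{X}_0 \to \mathcal{X}_1$, and for each state $s \in S_{\mathcal{G}}$, if both $tr_{\mathcal{G} \Rightarrow \mathcal{H}_0}(s)$ and $tr_{\mathcal{G} \Rightarrow \mathcal{H}_1}(s)$ are defined
(that is, $s$ is persisting), then

1. $tr_{\mathcal{G} \Rightarrow \mathcal{H}_0 \Rightarrow^* \mathcal{X}_0}(s)$ and $tr_{\mathcal{G} \Rightarrow \mathcal{H}_1 \Rightarrow^* \mathcal{X}_1}(s)$ are defined;

2. $f_S(tr_{\mathcal{G} \Rightarrow \mathcal{H}_0 \Rightarrow^* \mathcal{X}_0}(s)) = tr_{\mathcal{G} \Rightarrow \mathcal{H}_1 \Rightarrow^* \mathcal{X}_1}(s)$.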


Def. 12 not only expresses that the LTSs $\mathcal{X}_0$ and $\mathcal{X}_1$ need to be isomorphic, but also that
the states that persist along direct transformations $\mathcal{G} \Rightarrow_{r_0,m_0} \mathcal{H}_0$, $\mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$, i.e. that are matched by
glue-states of both $r_0$ and $r_1$, are in the end still present in both $\mathcal{X}_0$ and $\mathcal{X}_1$, and relatable to themselves.
Consider the example in Figure 8. Rule $r_0$ can be applied in two ways on the given input. The results are
isomorphic, but not in a bigger context (the dashed c-transition). To detect this, one should compare on
which states the glue-states are matched.

Plump [21] gives some suggestions how a transformation system can be equipped with a cover to
determine whether a critical pair is strongly joinable. Based on that, we use the following approach:
for a given critical pair, we define copies of $r_0$ and $r_1$ which we call $r_0^\kappa$ and $r_1^\kappa$, respectively, and we
Algorithm 2 Conflict resolution algorithm

Require: Conflicts in set C 

Ensure: Returns false iff there exists a conflict in C that cannot be resolved, true otherwise 
    for all $(\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1) \in C$ do

2. apply Cf Hq andCy Hj 

compute Hf and 'H^ 

4: apply HJ' A^o and H|^" A*! 

        if $\mathcal{X}_0 \not\cong \mathcal{X}_1$ or transformation failed then
6:          return false
    return true


extend both and such that for each state s in (and likewise in we add a self-loop 

transition with the fresh, unique label $\kappa$ to $g_S(s)$. These selfloops, when the left pattern of $r_0^\kappa$ or $r_1^\kappa$ is
matched on part of the conflict situation, are therefore introduced when applying a direct transformation,
and then serve the purpose of marking the states that have been matched on glue-states. In this way, we
can obtain LTSs $\mathcal{H}_0^\kappa$ and $\mathcal{H}_1^\kappa$, i.e. the LTSs $\mathcal{H}_0$ and $\mathcal{H}_1$ extended with the $\kappa$-selfloops. Once we have
these, we relabel the $\kappa$-selfloops in $\mathcal{H}_0^\kappa$ and $\mathcal{H}_1^\kappa$, such that each state $s$ has a selfloop labelled $\kappa_s$, and after
that, remove those $\kappa_s$-selfloops that do not appear in both LTSs, i.e. that are not associated with $s$ in both
Hq and Hq. We call the resulting LTSs Hq" and H'^". 

Subsequent matches for rules $r \in \Sigma$ can only be established if they do not match a non-glue state on a
persisting state, since trying to do so would violate the gluing conditions w.r.t. the related $\kappa_s$-selfloop. If
it is detected that such a violating 'match' can be made, then the critical pair is not strongly joinable, and
the transformation fails. Besides that, each time a match has been established, we remove all $\kappa_s$-selfloops
of states $s$ that have not been matched by any state.

In this way, states that persist along a sequence of direct transformations will still have their
$\kappa_s$-selfloop in both $\mathcal{X}_0$ and $\mathcal{X}_1$. Then, it suffices to check that $\mathcal{X}_0$ and $\mathcal{X}_1$ are isomorphic.

In Alg. 2, our conflict resolution algorithm is presented, which can be used to determine, based on
the constructed critical pairs, whether a transformation system is locally confluent, by establishing that 
all critical pairs are strongly joinable. With we refer to applying a direct transformation after the 
removal of $\kappa_s$-selfloops of all the states that are not matched by states of the related transformation rule.
The complexity of Alg. 2 depends on the complexity of graph transformation, which is performed in
lines 2 and 4, which in turn is dominated by the complexity of finding matches at line 4. In general, 
the graph matching problem Q is NP-complete. However, it has been shown in Q that if the graphs 
have a root, all states are reachable from that root, and each state has a bounded number b of outgoing 
transitions, then the complexity is independent of the size of the input graph, instead only depending on 
b and the number of transitions n in the left pattern of the transformation rule. The complexity is then 
0{L1^Qb'). Since our LTSs are weakly connected, they meet these requirements. The other operations 
at lines 3 and 5 in Alg. 2 can be performed in $O(|S| + |T|)$, since they require scanning all states and
transitions in the LTSs once. 

It has to be noted that if conflict detection is performed before resolution, all possible critical pairs 
need to be constructed. If instead, detection and resolution are mixed, i.e. each time a new critical pair 
is detected, it is immediately tested for resolvability, then non-confluent transformation systems can be 
identified as such as soon as a pair has been found that cannot be resolved. In practice, this means that 
the construction of all possible critical pairs can often be avoided. 

Following, a proof sketch is given to show correctness of the technique. Consider a transformation
system $\Sigma$ that is not confluent. Therefore, there exists an LTS $\mathcal{G}$ such that there are two direct
transformations $\mathcal{H}_0 \Leftarrow_{r_0,m_0} \mathcal{G} \Rightarrow_{r_1,m_1} \mathcal{H}_1$ that are not parallel independent. By Lemma 1, this means that there must
be at least one transition in $\mathcal{G}$, say $x$ with label $a$, that is matched on by both $m_0$ and $m_1$, and at least one
of the two rules removes $x$. Let $s$ and $t$ be the source states of the transitions $x_s$ and $x_t$, in $\mathcal{L}^{r_0}$ and $\mathcal{L}^{r_1}$, that
match on $x$, respectively, and let $r_0$ define that $x$ must be removed. In Alg. 1, since $a \in A_{\mathcal{L}^{r_0} \setminus \mathcal{K}^{r_0}} \cap A_{\mathcal{L}^{r_1}}$,
line 3 is skipped, and since 9 ^ line 5 is skipped. We have a G Aout{s)CA„ut{t), hence at line 8 , 
conflict compatibility morphisms will be computed with $f_S(s) = t$. Since we only consider the largest
possible conflict compatibility morphisms with a weakly connected domain of definition, we must have
that fj{xs) = Xf. If not, then either the source or target states in and are not relatable via /, 
which would mean that there is a gluing condition violation (Defs. and |^, but that would mean that 
there can be no overlap of matches of $r_0$ and $r_1$ that involves $x_s$ and $x_t$. This would be in contradiction
with the fact that there is a conflict between $r_0$ and $r_1$ involving $x$. By Def. 10, a conflict situation
$C_f = m_0(\mathcal{L}^{r_0}) \cup m_1(\mathcal{L}^{r_1})$ is constructed at line 10 in Alg. 1, with $m_{0,T}(x_s)$ representing the overlap between
$x_s$ and $x_t$. The subsequent inability to resolve the conflict using Alg. 2 can be proven along the lines of
the proof in l^ . 

The case that a given system is confluent can be proven as follows: in general, Alg. 1 will produce
some (possibly zero) conflicts. These conflicts, though, will be resolvable. This can be proven along the 
lines of the proof in 1 ^. 


5 Conclusions 


In this paper, we discussed how conflicts in LTS transformation systems can be efficiently detected and
resolved. For the detection, we proposed a novel approach that tries to construct partial morphisms
between the involved rule patterns. In particular cases, the absence of conflicts can be determined in linear
time, for instance when one rule only removes transitions that another rule will never match on, because
it does not refer to the particular transition label(s). This is a big improvement over previous approaches,
like e.g. in [12], since it is also applicable for two deleting rules, i.e. rules that remove transitions. For
the resolution of conflicts, we have proposed an algorithm inspired by [21], but tailored to our particular
setting using LTSs. For future work, we will consider extensions, e.g. 0 [ni> to extend our framework in 
comparable ways. Finally, for formal verification purposes, a hierarchy of different forms of confluence
(ranging from strong to weak) has been identified concerning the behaviour described by LTSs [15]. It
would be interesting to see how these relate to confluence variants in the setting of graph and model
transformation.